<font size="4"><font face="times new roman,serif">For 1, I am OK. For 2, I still confused, please see the inline comment.<br></font></font><br><div class="gmail_quote">On Sun, Aug 7, 2011 at 9:39 PM, Robin Sommer <span dir="ltr"><<a href="mailto:robin@icir.org">robin@icir.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im"><br>
On Thu, Aug 04, 2011 at 22:19 -0700, you wrote:<br>
<br>
> 1. From the "Class Layout" picture, every analyzer is derived from class<br>
> "Analyzer", but the wording also says that "The root node must always be of<br>
> type TransportLayerAnalyzer." So which one is the real root in the Bro's<br>
> code. yzer directly derived by "Analyzer") are located in this analyzer tree<br>
> structure.<br>
<br>
</div>There are two different trees here: (1) the class hierarchy, which is<br>
shown on the Wiki page and in which the Analyzer class is the root;<br>
(2) the tree of analyzer *instances* instantiated for each connection<br>
at runtime. In the latter, a TransportLayerAnalyzer instance must be<br>
the root. The paper may help:<br>
<a href="http://www.icir.org/robin/papers/usenix06.pdf" target="_blank">http://www.icir.org/robin/papers/usenix06.pdf</a><br>
<div class="im"><br>
> So what is the differences between TCP_ApplicationAnalyzer and<br>
> TCP_Analyzer.<br>
<br>
</div>The TCP_Analyzer analyzes TCP itself, while a TCP_ApplicationAnalyzer<br>
analyzes an application-layer protocol that's running on top of TCP.<br>
The former passes payload data on to the latter that's why they are<br>
linked in the analyzer tree.<br></blockquote><div><br></div><div>So it seems that TCP_ApplicationAnalyzer behave like a helping interface between TCP protocol and other application-over-TCP protocol. I would also like to learn how TCP_Analyzer passes payload to TCP_AppliationAnalyzer in implementation. For the DNP3 protocol, I actually have to write two application level analyzer and one passes the payload to the other one to do some further parsing. I would like to refer TCP's implementation. </div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"> </blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Robin<br>
<font color="#888888"><br>
--<br>
Robin Sommer * Phone <a href="tel:%2B1%20%28510%29%20722-6541" value="+15107226541">+1 (510) 722-6541</a> * <a href="mailto:robin@icir.org">robin@icir.org</a><br>
ICSI/LBNL * Fax <a href="tel:%2B1%20%28510%29%20666-2956" value="+15106662956">+1 (510) 666-2956</a> * <a href="http://www.icir.org" target="_blank">www.icir.org</a><br>
</font></blockquote></div><br><br clear="all"><br>-- <br>Hui Lin<br>Research Assistant<br>DEPEND Research Group, ECE Department<br>University of Illinois at Urbana-Champaign<br><a href="mailto:hlin33@illinois.edu" target="_blank">hlin33@illinois.edu</a><br>